Heartbleed – Impacts & Mitigation for Fund Managers

At IP Sentinel we set up FCA compliant IT systems, policies and procedures for small and start-up Fund Managers and act as a virtual CTO for them as they grow. Heartbleed is all over the news right now and just in case you or your management want to know more, we’ve written this blog post.

Heartbleed is a bug in OpenSSL (encyption libary) which allows anybody on the internet to steal bits of memory from the server and search for useful keys or data. With this info they are able to sit back and watch encrypted traffic or to logon as whomever credentials they have captured.

This means that most (non IIS) websites use to secure https:// traffic should be considered unsafe. Consequently Online Banking is off limits until confirmation is sought from the Bank that they are unaffected or have fixed the bug. This will also require them to re-certify their domain with their certificate vendor. Same goes for banking apps.

Likewise any prime broker, administrator, supplier or vendor communications that are done over the internet and secured by https:// should be considered insecure unless confirmed otherwise.

More pernicious there is a long list of hardware vendors (Cisco, F5, Aruba, Blue Coat, Fortinet, Juniper, Sophos, WatchGuard) that provide VPN concentrators and SSL type transports/walled gardens for users who have included the buggy version of OpenSSL in their software. VPN or web based authenication using these methods should be considered insecure until you have patched your hardware.